adulau/misp-circl-feed
1
0
Fork 0
Code Issues 1 Pull requests Projects 1 Releases Packages Wiki Activity Actions
misp-circl-feed/feeds/circl/stix-2.1/5c225981-ae64-4141-8a37-430a02de0b81.json

518 lines
No EOL
24 KiB
JSON
Raw Blame History

{
"type": "bundle",
"id": "bundle--5c225981-ae64-4141-8a37-430a02de0b81",
"objects": [
{
"type": "identity",
"spec_version": "2.1",
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-26T21:42:46.000Z",
"modified": "2018-12-26T21:42:46.000Z",
"name": "CIRCL",
"identity_class": "organization"
},
{
"type": "report",
"spec_version": "2.1",
"id": "report--5c225981-ae64-4141-8a37-430a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-26T21:42:46.000Z",
"modified": "2018-12-26T21:42:46.000Z",
"name": "OSINT - Destructive Shamoon Malware Continues its Return with a New Anti-American Message",
"published": "2018-12-26T21:42:48Z",
"object_refs": [
"observed-data--5c225990-7df0-46a3-8fee-4cb202de0b81",
"url--5c225990-7df0-46a3-8fee-4cb202de0b81",
"x-misp-attribute--5c2259a6-f400-4bce-ac8d-493102de0b81",
"observed-data--5c225a92-e620-4078-96a5-4d8402de0b81",
"x509-certificate--5c225a92-e620-4078-96a5-4d8402de0b81",
"observed-data--5c225d74-4938-48b1-a404-4e9802de0b81",
"file--5c225d74-4938-48b1-a404-4e9802de0b81",
"observed-data--5c225d74-ed64-4f4b-8094-4e9a02de0b81",
"file--5c225d74-ed64-4f4b-8094-4e9a02de0b81",
"indicator--5c225a33-d8ec-4e9d-9c63-42fe02de0b81",
"indicator--5c225a67-c328-4d9e-9076-a51902de0b81",
"indicator--5c225af5-c140-458f-b353-4e1d02de0b81",
"x-misp-object--8d89302c-d05e-4557-85ae-4717b031f335",
"x-misp-object--d6dc565c-ce26-46ea-ad7b-4fd231f06f72",
"x-misp-object--d6f1dcfb-ad11-482d-b7af-105f27616350",
"x-misp-object--6672ba95-da71-4081-8a5c-34ce8863a146",
"x-misp-object--331ae947-e60d-48b4-9b21-325c2acde6ce",
"x-misp-object--c3943d4b-93b1-4f83-b1db-a683329ce623",
"relationship--f3bb2290-aeac-4fe2-8c8d-22adf9ba329f",
"relationship--4070241f-4f70-4c32-b510-749e82e6ea7a",
"relationship--c6a11ff5-ce64-404d-b8fd-17fa451c3cac",
"relationship--4d5662f1-7b32-4dea-9c33-a25a0aa348bd"
],
"labels": [
"Threat-Report",
"misp:tool=\"MISP-STIX-Converter\"",
"type:OSINT",
"osint:source-type=\"blog-post\"",
"misp-galaxy:tool=\"Shamoon\"",
"misp-galaxy:mitre-enterprise-attack-malware=\"Shamoon\"",
"estimative-language:confidence-in-analytic-judgment=\"moderate\""
],
"object_marking_refs": [
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
]
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c225990-7df0-46a3-8fee-4cb202de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-25T16:23:44.000Z",
"modified": "2018-12-25T16:23:44.000Z",
"first_observed": "2018-12-25T16:23:44Z",
"last_observed": "2018-12-25T16:23:44Z",
"number_observed": 1,
"object_refs": [
"url--5c225990-7df0-46a3-8fee-4cb202de0b81"
],
"labels": [
"misp:type=\"link\"",
"misp:category=\"External analysis\""
]
},
{
"type": "url",
"spec_version": "2.1",
"id": "url--5c225990-7df0-46a3-8fee-4cb202de0b81",
"value": "https://www.anomali.com/blog/destructive-shamoon-malware-continues-its-return-with-a-new-anti-american-message"
},
{
"type": "x-misp-attribute",
"spec_version": "2.1",
"id": "x-misp-attribute--5c2259a6-f400-4bce-ac8d-493102de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-25T16:24:06.000Z",
"modified": "2018-12-25T16:24:06.000Z",
"labels": [
"misp:type=\"text\"",
"misp:category=\"External analysis\""
],
"x_misp_category": "External analysis",
"x_misp_type": "text",
"x_misp_value": "Anomali Labs in its continued hunt for the destructive Shamoon malware, has identified a new Shamoon malware sample that uses an image of a burning US Dollar as part of its destructive attack. Historic versions of the Shamoon destructive wiper have utilized images of a burning American flag and the drowned Syrian refugee and child Alan Kurdi as part of targeted attacks attributed to the Iranian State. The image includes the text \"WE WILL TAKE REVENGE ON THE BLOOD AND TEARS OF OUR CHILDREN\" which is displayed in tandem with the overwriting of files on a victim's system.\r\n\r\nThe newest Shamoon sample was uploaded from France on December 23, 2018 and utilizes the commercial packing tool Enigma version 4 as a means of obfuscation. As observed in previous Shamoon samples the internal file name invokes a known PC tool, likely as a lure to allay initial user suspicion. In this case the malicious internal file name is \"Baidu PC Faster\" and uses the description \"Baidu WiFi Hotspot Setup\". A closer inspection of the file resources utilized by the sample reveals similarities with Shamoon V2 malware. Specifically, the resource \"GRANT\" is included which indicates that this sample was like compiled based on the second version of the codebase."
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c225a92-e620-4078-96a5-4d8402de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-25T16:28:02.000Z",
"modified": "2018-12-25T16:28:02.000Z",
"first_observed": "2018-12-25T16:28:02Z",
"last_observed": "2018-12-25T16:28:02Z",
"number_observed": 1,
"object_refs": [
"x509-certificate--5c225a92-e620-4078-96a5-4d8402de0b81"
],
"labels": [
"misp:type=\"x509-fingerprint-sha1\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "x509-certificate",
"spec_version": "2.1",
"id": "x509-certificate--5c225a92-e620-4078-96a5-4d8402de0b81",
"hashes": {
"SHA-1": "4b953f30f1de4dfef894b136daa155ceafc243a0"
}
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c225d74-4938-48b1-a404-4e9802de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-25T16:40:20.000Z",
"modified": "2018-12-25T16:40:20.000Z",
"first_observed": "2018-12-25T16:40:20Z",
"last_observed": "2018-12-25T16:40:20Z",
"number_observed": 1,
"object_refs": [
"file--5c225d74-4938-48b1-a404-4e9802de0b81"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5c225d74-4938-48b1-a404-4e9802de0b81",
"name": "gfxprc_X64_pro.exe"
},
{
"type": "observed-data",
"spec_version": "2.1",
"id": "observed-data--5c225d74-ed64-4f4b-8094-4e9a02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-25T16:40:20.000Z",
"modified": "2018-12-25T16:40:20.000Z",
"first_observed": "2018-12-25T16:40:20Z",
"last_observed": "2018-12-25T16:40:20Z",
"number_observed": 1,
"object_refs": [
"file--5c225d74-ed64-4f4b-8094-4e9a02de0b81"
],
"labels": [
"misp:type=\"filename\"",
"misp:category=\"Artifacts dropped\""
]
},
{
"type": "file",
"spec_version": "2.1",
"id": "file--5c225d74-ed64-4f4b-8094-4e9a02de0b81",
"name": "gfxprc_X64.exe"
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c225a33-d8ec-4e9d-9c63-42fe02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-26T21:42:44.000Z",
"modified": "2018-12-26T21:42:44.000Z",
"description": "Shamoon (Packed)",
"pattern": "[file:hashes.MD5 = 'd0c3852e376423247ae45c24592880b6' AND file:hashes.SHA1 = '7335b8bdc62f35e2579ba18b91dc6227c586ef75' AND file:hashes.SHA256 = 'f2bfe03ebacaa96e2897c8c01339e1ffa8c2222c3d6f89a76827548559b93af9' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-12-26T21:42:44Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c225a67-c328-4d9e-9076-a51902de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-26T21:42:45.000Z",
"modified": "2018-12-26T21:42:45.000Z",
"description": "Shamoon (Unpacked)",
"pattern": "[file:hashes.MD5 = '5711ac3dd15b019f558ec29e68d13ca9' AND file:hashes.SHA1 = 'b18b92a25078aa5f23a9987fd9038440b58b9566' AND file:hashes.SHA256 = 'c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9' AND file:x_misp_state = 'Malicious']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-12-26T21:42:45Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "file"
}
],
"labels": [
"misp:name=\"file\"",
"misp:meta-category=\"file\"",
"misp:to_ids=\"True\""
]
},
{
"type": "indicator",
"spec_version": "2.1",
"id": "indicator--5c225af5-c140-458f-b353-4e1d02de0b81",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-25T16:29:41.000Z",
"modified": "2018-12-25T16:29:41.000Z",
"pattern": "[x509-certificate:hashes.SHA1 = '4b953f30f1de4dfef894b136daa155ceafc243a0' AND x509-certificate:issuer = 'CN=VeriSign Class 3 Code Signing 2010 CA, OU=Terms of use at https://www.verisign.com/rpa c10, OU=VeriSign Trust Network, O=\\\\\"VeriSign, Inc.\\\\\", C=US\r\nSerial: 5faee9e83f32948f3b2040ac6df0145c' AND x509-certificate:serial_number = '5faee9e83f32948f3b2040ac6df0145c' AND x509-certificate:subject = 'CN=\\\\\"Baidu Online Network Technology Beijing Co.,Ltd.\\\\\", OU=Baidu security, O=\\\\\"Baidu Online Network Technology Beijing Co.,Ltd.\\\\\", L=Beijing, ST=Beijing, C=CN']",
"pattern_type": "stix",
"pattern_version": "2.1",
"valid_from": "2018-12-25T16:29:41Z",
"kill_chain_phases": [
{
"kill_chain_name": "misp-category",
"phase_name": "network"
}
],
"labels": [
"misp:name=\"x509\"",
"misp:meta-category=\"network\"",
"misp:to_ids=\"True\""
]
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--8d89302c-d05e-4557-85ae-4717b031f335",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-25T16:35:15.000Z",
"modified": "2018-12-25T16:35:15.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-12-24T12:02:45",
"category": "Other",
"uuid": "24757b25-e392-4525-b407-8c37aeb11fe7"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9/analysis/1545652965/",
"category": "External analysis",
"uuid": "ff29c3a5-6fd7-433f-8a09-c432727c88ca"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "17/69",
"category": "Other",
"uuid": "582751d6-7f02-4f98-ad88-85bb6f4a62b0"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--d6dc565c-ce26-46ea-ad7b-4fd231f06f72",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-25T16:35:16.000Z",
"modified": "2018-12-25T16:35:16.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-12-24T15:16:39",
"category": "Other",
"uuid": "c5f5eb09-38ee-4bfa-b02e-d0df84f64dde"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/f2bfe03ebacaa96e2897c8c01339e1ffa8c2222c3d6f89a76827548559b93af9/analysis/1545664599/",
"category": "External analysis",
"uuid": "c78c0cb0-5e91-4886-ab6e-4fcd5558c7a3"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "14/68",
"category": "Other",
"uuid": "55f75f6c-75a4-48e7-806d-9323b916f2d7"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--d6f1dcfb-ad11-482d-b7af-105f27616350",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-26T21:27:50.000Z",
"modified": "2018-12-26T21:27:50.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-12-24T12:02:45",
"category": "Other",
"uuid": "a92b6f8d-367f-47bf-bc24-d7ba884d1cd6"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9/analysis/1545652965/",
"category": "External analysis",
"uuid": "38ef2af6-3419-4fcf-a241-310d4927f1c9"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "17/69",
"category": "Other",
"uuid": "efec593f-48cd-433f-97aa-bde26003aa72"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--6672ba95-da71-4081-8a5c-34ce8863a146",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-26T21:27:51.000Z",
"modified": "2018-12-26T21:27:51.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-12-26T20:58:38",
"category": "Other",
"uuid": "cc6abc85-e4fd-4877-8928-cf40bd36e0bd"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/f2bfe03ebacaa96e2897c8c01339e1ffa8c2222c3d6f89a76827548559b93af9/analysis/1545857918/",
"category": "External analysis",
"uuid": "cd8c1b95-440e-469f-b4da-2adb4dcce401"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "32/70",
"category": "Other",
"uuid": "a91f8039-b52b-4b4d-b56e-17a544538240"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--331ae947-e60d-48b4-9b21-325c2acde6ce",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-26T21:42:45.000Z",
"modified": "2018-12-26T21:42:45.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-12-24T12:02:45",
"category": "Other",
"uuid": "caf5dc57-8207-43de-96eb-e8de55273ee1"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/c617120895646f73bc880c0aca18990deda3db9be03f6b3564013e26dedfa3f9/analysis/1545652965/",
"category": "External analysis",
"uuid": "006f3849-b2a3-4383-b093-aa18f8577a47"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "17/69",
"category": "Other",
"uuid": "cfd788c2-f51f-4978-94ec-415097d849ba"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "x-misp-object",
"spec_version": "2.1",
"id": "x-misp-object--c3943d4b-93b1-4f83-b1db-a683329ce623",
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
"created": "2018-12-26T21:42:46.000Z",
"modified": "2018-12-26T21:42:46.000Z",
"labels": [
"misp:name=\"virustotal-report\"",
"misp:meta-category=\"misc\""
],
"x_misp_attributes": [
{
"type": "datetime",
"object_relation": "last-submission",
"value": "2018-12-26T20:58:38",
"category": "Other",
"uuid": "41a18372-be40-4844-b6db-820b3e6d5812"
},
{
"type": "link",
"object_relation": "permalink",
"value": "https://www.virustotal.com/file/f2bfe03ebacaa96e2897c8c01339e1ffa8c2222c3d6f89a76827548559b93af9/analysis/1545857918/",
"category": "External analysis",
"uuid": "41808df6-6a9f-4c20-94e8-fa206a56f065"
},
{
"type": "text",
"object_relation": "detection-ratio",
"value": "32/70",
"category": "Other",
"uuid": "08437b29-50a1-4188-aeeb-d7a9e1c7e60e"
}
],
"x_misp_meta_category": "misc",
"x_misp_name": "virustotal-report"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--f3bb2290-aeac-4fe2-8c8d-22adf9ba329f",
"created": "2018-12-25T16:39:30.000Z",
"modified": "2018-12-25T16:39:30.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--5c225a33-d8ec-4e9d-9c63-42fe02de0b81",
"target_ref": "x-misp-object--d6dc565c-ce26-46ea-ad7b-4fd231f06f72"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4070241f-4f70-4c32-b510-749e82e6ea7a",
"created": "2018-12-26T21:42:47.000Z",
"modified": "2018-12-26T21:42:47.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--5c225a33-d8ec-4e9d-9c63-42fe02de0b81",
"target_ref": "x-misp-object--c3943d4b-93b1-4f83-b1db-a683329ce623"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--c6a11ff5-ce64-404d-b8fd-17fa451c3cac",
"created": "2018-12-25T16:38:20.000Z",
"modified": "2018-12-25T16:38:20.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--5c225a67-c328-4d9e-9076-a51902de0b81",
"target_ref": "x-misp-object--8d89302c-d05e-4557-85ae-4717b031f335"
},
{
"type": "relationship",
"spec_version": "2.1",
"id": "relationship--4d5662f1-7b32-4dea-9c33-a25a0aa348bd",
"created": "2018-12-26T21:42:47.000Z",
"modified": "2018-12-26T21:42:47.000Z",
"relationship_type": "analysed-with",
"source_ref": "indicator--5c225a67-c328-4d9e-9076-a51902de0b81",
"target_ref": "x-misp-object--331ae947-e60d-48b4-9b21-325c2acde6ce"
},
{
"type": "marking-definition",
"spec_version": "2.1",
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
"created": "2017-01-20T00:00:00.000Z",
"definition_type": "tlp",
"name": "TLP:WHITE",
"definition": {
"tlp": "white"
}
}
]
}
Reference in a new issue View git blame Copy permalink